On 6/28/06, Chris Moody <cmoody at qualcomm.com> wrote:
> 'Write net' (or whatever variation necessary) should be relatively easy
> to implement (however, we all know that IOS CLI is a bit of a bugger
> sometimes for scripts).
Risks and headaches of scripting the CLI are exactly why I went with
the Cisco SNMP solution -- we have technical and political cause not
to have a Unix machine/script with "enable" access into
production-critical Cisco gear.
By using Cisco's "snmp-server view", the community string can only do
one thing -- trigger a "write net". And with "snmp-server
tftp-server-list", the destination of the write net command can also
be locked down.
This solution gives me much more confidence in the security of the
design than if I were to use "clogin". Compromise the machine on
which the script runs, and you still don't automatically own the Cisco
routers -- all you can do to the router for which you have a community
is have it send the configuration to the server, you can't even
exploit this to TFTP the configuration to an unapproved destination!
> I'm actually about to tackle this exact task (rancid CVS -and- tftp
> repository). While this may seem redundant, I have some engineers that
> prefer having a tftp source available for config uploads. I need to
> have the CVS change repository, but also have a readily available (and
> simple) source for staff to be able to do uploads when devices die.
This is part of why I started looking at rancid -- I want to have a
TFTP server with the latest configurations to do restores, but not
include passwords and crypto secrets -- I started scripting Perl to
remove these, and that's how I ran into rancid.
> p.s. Great work Michael. Sharp addition. :o)
I will likely hook my Perl script into Michael's "wrancid".
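The locked-down SNMP arrangement described above (a view exposing only "write net", a community bound to that view and to one host, and a TFTP destination list), written out as an added Cisco IOS configuration example. This is not configuration from the original post or from rancid; host addresses, ACL numbers and names are placeholders, and the writeNet object identifier (OLD-CISCO-SYS-MIB, 1.3.6.1.4.1.9.2.1.55) should be verified against the MIB shipped with the IOS release in use.

```cisco
! Added example, not from the original post. Placeholders: 192.0.2.10 is the
! backup/TFTP host, 192.0.2.20 the syslog host, access lists 10 and 20 unused.
!
! 1. A view containing only the writeNet object. Setting
!    1.3.6.1.4.1.9.2.1.55.<tftp-host-ip> to a filename makes the router send
!    its running configuration to that host. Nothing else is reachable
!    through this view, so the community cannot read or change other objects.
!    (OID from OLD-CISCO-SYS-MIB; confirm it on your platform.)
snmp-server view WRITENET-ONLY 1.3.6.1.4.1.9.2.1.55 included
!
! 2. The community is usable only from the backup host and only through
!    the view above. "rw" is required because writeNet is triggered by a SET.
access-list 10 permit 192.0.2.10
access-list 10 deny   any log
snmp-server community REPLACE-WITH-STRONG-STRING view WRITENET-ONLY rw 10
!
! 3. Limit where the router will copy its configuration to. Even with the
!    community, a request naming any other destination is refused.
access-list 20 permit 192.0.2.10
access-list 20 deny   any log
snmp-server tftp-server-list 20
!
! 4. Record configuration-related activity off-box so a misuse of the
!    community is visible.
snmp-server enable traps config
logging host 192.0.2.20
```

Two quick checks after applying it: an `snmpwalk` with the community from the backup host should return nothing outside 1.3.6.1.4.1.9.2.1.55, and the same walk from any other address should be dropped and show up as an access-list 10 log entry.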